Posted by timothy on Tuesday June 19, 2012 @09:24AM
from the excuse-me-while-I-pluck-out-your-eye dept.

alphadogg writes "Revelations by The New York Times that President Barack Obama in his role as commander in chief ordered the Stuxnet cyberattack against Iran's uranium-enrichment facility two years ago in cahoots with Israel are generating controversy, with Washington in an uproar over national-security leaks. But the important question is whether this covert action of sabotage against Iran, the first known major cyberattack authorized by a U.S. president, is the right course for the country to take. Are secret cyberattacks helping the U.S. solve geopolitical problems or actually making things worse? Bruce Schneier, whose most recent book is 'Liars and Outliers,' argues the U.S. made a mistake with Stuxnet, and he discusses why it's important for the world to tackle cyber-arms control now."

How could contributing to the spread of clever computer-intrusion technologies (both with things like Stuxnet, and with the pernicious habit of doing business with the sort of slimy vulnerability-sellers whose customers want to exploit, not patch, them), possibly be a bad idea for a country whose citizens, businesses, government, and R&D capabilities are overwhelmingly dependent on computerized infrastructure?

I have to disagree with you here. To ensure that your businesses and citizens and government and infrastructure are sound, you should always be investigating modes for attacks and publishing them. My logic is that if the United States Government is able to develop this, then so is China's, Russia's, India's, etc so get it out in the open already. In fact, your claim almost seems to advocate security through obscurity. If you want to ensure that people aren't pilfering data without your knowledge, publish your exploits and what you see as "contributing to the spread of clever computer-intrusion technologies" could just as well be seen as "telling SCADA and other makers to pull their heads out of their asses and fix this." Also, your statements can apply to every single country now, even third world countries are largely dependent on networking hardware to function.

The reason this is a "destabilizing and dangerous" action was because it was effective -- not because the US Government secretly gave hackers a bunch of ways to hack every computer ever made. Also, the US kind of lost the "moral high ground" now when someone hacks their nuclear facilities with the intent of disabling our capabilities. Use an effective cyber attack against a nation state that does not have similar capabilities... "destabilizing and dangerous" is a definition of what you can expect the repercussions to be.

Bruce Schneier is NOT a diplomat and has fuck all experience in dealing with international affairs. And what sort of Diplomacy are we supposed to use when "Stern Letter Writing", "UN Inspections" and threats fail? Obama showed quite a bit of creativity and tact in performing an elaborate Cyber-Attack that left our best Security Researchers stumped for months and seems to have worked quite well in derailing their bomb making efforts.

Would Schneier prefer we have gone ahead with Israel's agenda and bombed the suspected weapons making facilities and risked killing people -- even civilians? Or is he just the sort of Freedom Loving Pacifist that would have us dawdling around writing more "Sternly Worded Letters" until Iran finally trotted out a bomb and wiped out an entire city full of people?

There is only one source who says they have "evidence" and keeps pointing the finger at the US and Israel about Stuxnet, Flame, and other Trojans, and that is Kaspersky, which is a Russian AV company. Nobody else out there, be it Panda, Symantec, McAfee, or independent researchers makes these conclusions. It might just be me, but it appears that there might be a political agenda here.

Russia has a lot to gain by making the US appear at fault for these Trojans. There is a battle now for who runs the Net, either the US or the UN. With enough propaganda, it is possible they can wrest control of the Internet from ICANN. Result: You think SOPA/PIPA were bad, now think of some country you never lived in dictating the rules and fees for your website in your own country. Post a snide comment about the rulers in Thailand, in a few hours, your domain and IP have been pulled. Unlike the US which caves into international pressure and is smart enough to not fool around with anti-US sites (Pravda, Al-Jazeera), there is no stopping a UN backed replacement for the ICANN to do whatever it pleases. Unlike the US where the paid for fat-cats will back off when sites like Google shut down, China and Russia don't kowtow to public opinion, and PIPA/SOPA/ACTA and all that other stuff can easily become the de facto world law just because the one ruling body says so.

There is no way to prove whether a nation is engaged in offensive cyber warfare.
It will always be possible to say those things were done by criminals and malefactors. "The secretary will disavow all knowledge of your actions."
If those leaks had happened in China, the leakers would be shot and their families billed for the bullets. Therefore, if a treaty is signed, it will be a one-way treaty partially enforceable in the West only.

I apologize if I wasn't clear; but my point was that possessing electronic offense and improving electronic defense are directly at odds with one another (and, as you note, we are hardly the only country with a supply of adequately smart geeks).

If you want to use an attack, you need a vulnerability. If you want to use an attack against a really clueful adversary, you may need a really juicy vulnerability, a set of zero-days (as with Stuxnet) or that nifty code-signing trick with Flame, or the like. This is where the trouble starts:

Your attack people now have a direct interest in keeping certain vulnerabilities unfixed. Since much of the world's software is widely used, and has a reasonably publicly visible update process, there is no viable way to sneak out some kind of 'Important vulnerability fix for Win32 systems in the US only'. Either you keep the bug secret, leaving your own people vulnerable, in the hopes that you can hit the other guy before he discovers the problem, or you protect everyone from that vulnerability by getting it fixed.

Having US 'national security' types researching vulnerabilities is a good thing; but only if they do so with the intent of getting them fixed (US-CERT vulnerability reporting, for instance, makes us stronger). That is how you 'get it in the open'. Things like Stuxnet and Flame were based on vulnerabilities that were kept in the dark (during which time they could have been used against us) for as long as possible.

It's not that I advocate security through obscurity (quite the opposite, in fact), it's that in order to possess good offensive tools you must, necessarily, have knowledge of vulnerabilities that you are concealing. You had to discover them in order to build your attack system, you have to hide them in order to preserve its effectiveness. That's the problem. Possession of useful offensive capabilities implies that you are condemning everyone, your own people included, to security-by-obscurity.

The Pacific portion of WWII ended because we annihilated two cities - civilians and all - and threatened to turn the island of Japan into a wasteland. War sucks, and shouldn't need to exist, but it does. Good? Bad? Think of it this way - do you want to be the country that doesn't have nuclear weapons because they're "against the rules," or do you want to have them because - rules or not - people are much less likely to fuck with you if they know you can destroy them?

The astonishing thing is that anyone in the Obama administration was stupid enough to think that secrecy could be maintained on this indefinitely. Unlike physical warfare, in which the aftermath can be sanitized and obfuscated, software never goes away.

We all know this: full erasure of a worm in the wild is impossible to ensure, because you never know when some vital assumption is going to change. So the Iranians would have caught on eventually.

Add to that the equal certainty that eventually a programming error or assumption violation would result in the worm getting out into the larger world and you have as close to a guarantee as possible that Stuxnet would eventually be discovered and traced back to its source.

Yet it appears the attack was planned on the basis of perpetual secrecy, which is just stupid. I'm sure there are lots of idiots who will say, "But if only the world had been a little different than the way it actually is then THIS PARTICULAR leak wouldn't have happened!" Sure, but some other leak would have.

The militarization of the 'Net by the Government of the United States started under George W Bush and ramped up dramatically by Barack Obama is one of the biggest disasters in the history of information technology, and the ultimate economic cost is going to dwarf the cost of Bush's idiotic physical wars.

Schneier is a fool, nothing can stop cyber warfare because there is no way of monitoring it. With all other weapons treaties you have some chance of verifying them but all cyber warfare needs is a laptop and a WiFi hotspot. So it is coming and we all know it. Good time to buy shares in secure products and cyber security businesses.

Sometimes I find it astonishing how naive people can be. And if you see a vulnerability in scum like Kim Barking Mad Teapots North Korea or Ahmadinejad's Iran then we should be doing our best to take them out now whilst we still can.

No, not even that. They wouldn't be so intent on nuclear weapons if Bush hadn't named them a part of the "Axis of Evil" that included Saddam Hussein's Iraq at the time. Considering what happened to Iraq (and Afghanistan, but not to Pakistan), pursuing nuclear weapons was their only choice.

No, Arthur C. Clarke talked about this w.r.t. technology. There are fears that are destabilizing, and fears that stabilize. If your "enemy" thinks that you are going to come to him and take his stuff, that fear destabilizes, weapons escalation is destabilizing. If your "enemy" has good intelligence, and knows that your weapons are secure and non-mobile, that fear is stabilizing, he knows he's safe now, but if he attacks those weapons are available.
To paraphrase Mr. Clarke, more nuclear bombs, destabilizing. More spy satellites, stabilizing.

The sad part of the human existence is that if your "enemy" doesn't fear you in the least, and has no reason to believe you will oppose him, he *will* come and take your stuff.

That's not entirely the modern problem. We had relations relatively stabilized under Clinton. When Bush II adopted the PNAC world view, severed our relations with NK and Iran, declared his axis of evil, then scaled his foreign policy based on access to nuclear weapons, that basically told every two-bit dictator on the planet that a nuclear arsenal is "U.S. Invasion"-bane. That completely contradicted the message we've been trying to communicate to 3rd world countries for 50 years; nuclear weapons are expensive, hard to secure, dangerous, incite regional arms races, and an irreversible strategic choice.

The new mantra (as perceived around the world) is the US wants nukes and doesn't want you to have them just in case we want to change your leadership. This is all a part of the horrible damage to our image that probably won't ever be righted.